A CISO Tuesday at Stanford

Michael Tran Duff
Published in CISO Tuesdays
Sep 1, 2020

Pillars and practices

Stanford University

Love: I am awoken by a dog enthusiastically licking my face. It’s Roxie the Doxie — my trusty four-legged alarm clock that is apparently set to 7am. Her sister, Cali the Corgi, is patiently staring at me from the floor, eager to start her day. I try to contain my laughter so my wife Nikki can continue her slumber.

Silver linings: Looking around the room, I am reminded that Nikki and I are 2400 miles from Stanford, in my hometown of Monroe in southwestern Ohio. Knowing that most Stanford staff would be working remotely until at least January 2021, we temporarily relocated here two months ago. It’s the most time I’ve spent with my family in 30 years — invaluable! Being three hours ahead of Stanford has its advantages too. It’s only 4am back at Stanford!

Chaos breeds opportunity: I have long championed remote work, but never thought I would be among those working remotely. The pandemic has shown me and the team that we can be productive in this new normal. It will also enable us to dramatically expand our candidate pool when recruiting.

Joie de vivre: I take Cali and Roxie for a walk, savoring the morning midwestern sky and the omnipresent sound of cicadas. It’s sunny, warm, and humid. Next I go for a 45-minute bike ride because I’ve found that exercise reduces stress and helps me think better. It’s also a great keystone habit.

Transition: Showered up and ready to go by 8:30am (5:30am PT). As I don my work clothes, I begin to (metaphorically) put my Stanford CISO and Chief Privacy Officer hats on. These are closely related yet distinct roles, and I treat them as such.

Purpose: I have a calling: to provide strong leadership in enterprise privacy and cybersecurity. It’s my passion, and it’s important. I long dreamt of working at Stanford, and I’m thankful for the 8 years I’ve had there so far. There’s no place I’d rather be at this point in my life and career.

Leadership: I devote 30 minutes to leadership readings each day, which gets me through another book every couple of weeks. Readings challenge my thoughts, expand my perspectives, provide new ideas, and validate practices that are working. I enjoy it, and it puts me in the right frame of mind for the day ahead. I’m currently reading “It’s Your Ship” by Michael Abrashoff, a recommendation from a Stanford colleague. As with all my books, this one is quickly filling with my handwritten reflections and syntheses.

Earlier this year, I shared a list of my favorite 10 books that I feel encompass the characteristics of leadership that I aspire to. I have since replaced Joel Peterson’s “The 10 Laws of Trust” with his newly-published “Entrepreneurial Leadership”:

  • “DRiVE” by Daniel Pink
  • “Entrepreneurial Leadership” by Joel Peterson
  • “The Progress Principle” by Teresa Amabile and Steven Kramer
  • “Measure What Matters” by John Doerr
  • “The Effective Executive” by Peter Drucker
  • “Good to Great” by Jim Collins
  • “The Power of Habit” by Charles Duhigg
  • “Getting to Yes” by Roger Fisher
  • “The Checklist Manifesto” by Atul Gawande
  • “Emotional Intelligence 2.0” by Travis Bradberry

Balcony: Before the hustle and bustle of the work day commences, this is my time to step back and look at the big picture. Are we doing what Stanford needs us to do? Are we focusing on the right things? What trends are emerging?

Outbox: It’s now 9am ET (6am PT), and I have not yet even glanced at my work messages. I firmly adhere to the “outbox” methodology: before reading any incoming messages, I first send the communications that I need to advance our programs. I send out 8 important emails along with several Slack messages, including one about our upcoming Cybersecurity & Privacy Festival. A good start to the work day.

Situational awareness: I allocate a few minutes each day to reading the latest infosec and privacy news, remembering that it’s all too easy to squander time by overconsuming information vs. applying ourselves. Fortunately, a team member created a Slack channel that aggregates articles from multiple sources to provide a quick overview of the landscape, so I start there. With each article, I ask myself “Does this materially change our risk model?” And “Do we need to adjust our priorities?”

Team first: Our team forms the foundation of our information security and privacy programs, so they are always my top priority. To be successful, we need an outstanding team operating at its best, and today my focus is on recruiting. After being fully-staffed with zero turnover for more than three years straight, we currently have a vacancy on the team, so I devote 10–11am (7–8am PT) to selecting the top 10 candidates from our pool of applicants.

Meeting-free days: In the Information Security Office and University Privacy Office, we designate Tuesdays and Fridays as “no-meeting days” to provide large blocks of uninterrupted focus time. This was a suggestion from a team member years ago, and we tried it as an experiment. The experiment was a resounding success, and the team has told me that this was one of the best improvements we ever made.

Meeting-full days: But this model doesn’t fit my role. I have 8 hours of meetings ahead (with 5–10 minute breaks inserted in between). I am in full control of my schedule, so this is by choice. I can send emails and other asynchronous messages outside of core work hours, so this is my opportunity to directly interact with others in real time. A large portion of my meetings are working sessions — we have an objective to accomplish, and we get things done.

Growth mindset: It’s 11am (8am PT), and my first meeting of the day is to ask a trusted colleague for feedback on how I can better gain buy-in from a particular committee at Stanford. I was unhappy with my performance at last week’s committee meeting and am seeking his advice on how to improve. I feel lucky to be surrounded by admirable leaders who are willing to coach me.

Progress: At the end of the day, we’re here to deliver results. In addition to our 60 operational services, we have many initiatives in motion at any given time. The sense of accomplishment is a powerful intrinsic motivator, so we created the conditions for frequent small wins. We do this by working in monthly sprints based on the objectives with key results (OKR) methodology, which also enables us to course correct quickly when needed. I always keep a list of our active projects open in my web browser, and I give it a quick glance before my next meeting to see if anything needs my attention. Not today — all are steadily progressing.

Accountability: Around 1pm (10am PT), a team member notifies me of a freshly discovered incident involving a third party service. We conduct incident response exercises quarterly, so we’re well prepared, and we initiate our response plan. I remind myself that I’m accountable for this incident, regardless of the circumstance.

Compartmentalization: A potpourri of concerns fill my mind: the newly discovered incident is weighing on me, several team members are being impacted by the nearby forest fires, our endpoints are increasingly vulnerable now that most of the university’s personnel are working remotely, how can we accelerate our cloud security strategy, … but I consciously put them aside to focus on a mentoring session at 2pm (11am PT). I want to ensure that the session is valuable to him, so I must be fully present and actively listening. Nothing is more important for the next 50 minutes than my colleague.

Relationships: Our services cannot be successful without strong relationships throughout Stanford, and I invest a substantial portion of my time in this (as do all members of our team). Two of my meetings today are quarterly 1:1’s with key partners at the university. Then comes a welcome surprise — an email from a fellow CISO at another university! I have the deepest respect and admiration for my peers and their teams, and I relish our interactions. Our inter-institutional relationships are key to continuously improving our programs through the open sharing of best practices and lessons learned.

Openness: One of the pillars of our team culture is transparency, and this openness builds trust. Our biweekly team meetings are open to anyone at Stanford who wants to join. At yesterday’s meeting, we had more than 10 guests! We welcome respectful conflict, and we cultivate psychological safety. That’s how we roll. As I respond to a quick policy question via Slack, I adhere to my habit of adding “because” to remind myself to explain “the why”.

Fun: Around 7pm (4pm PT), I’m in between meetings when I see a message from our team’s Chief Fun Officer (a role we created many years ago to “foster a culture of fun through interactive team activities, unique work environments, and office antics”). It’s a reminder about our team activity this Friday afternoon — an online game called “Keep Talking and Nobody Explodes”. Can’t wait for this one!

Balance: I leave my desk around 8pm (5pm PT) for dinner. My wife and I take the dogs to the park to play, then we relax for the following hour.

Communications: 10pm–midnight (7–9pm PT) is my time to catch up on correspondence. There are several key communications for me to review: a campus IT newsletter, our response to a media inquiry, a notification template for a large initiative, and a news article about Cardinal Key. I have a penchant for succinctness, and my edits reflect that. Another 15 emails and 20 Slack messages later, and I’ve attended to the important matters. Next I look a few days ahead on my calendar to ensure that I’m properly prepared for my upcoming meetings and presentations. Reflecting on how fluid my schedule is reminds me how heavily I depend on my assistant Sonia, and how deeply I appreciate her.

Positivity: I’m a firm believer in the virtues of positivity. A positive psyche fuels progress, which in turn boosts psyche — a virtuous cycle. Accordingly, I add a few items to my running list of team accomplishments to recognize at our next team meeting. I also make a point to send a note of gratitude each day. Tonight it’s an email to compliment a team member on the high quality of her recent work. A nice way to end the day.

Grit: By midnight (9pm PT), I feel the cognitive fatigue of another full day. Ours are demanding roles, but deeply rewarding too, and they’re in service of a noble mission. My mind is now calm and clear. I’m unbothered by the many pending matters and relentless cyber threats — they’ll still be there tomorrow. I drift asleep knowing that I did my best for Stanford today. But most of all, I’m thankful for the invaluable foundation of Stanford’s information security and privacy programs: our outstanding team!